Investor group seeks probe into SEC hack, urges data rules delay

WASHINGTON (Reuters) - A global investor group on Friday called for an independent investigation into a cyber breach at the U.S. Securities and Exchange Commission (SEC) and urged the regulator to delay new data-gathering rules until it could assure investors that its computer systems were secure.

FILE PHOTO: The headquarters of the U.S. Securities and Exchange Commission (SEC) are seen in Washington,U.S., on July 6, 2009. REUTERS/Jim Bourg/File Photo

Wall Street’s top regulator came under fire on Thursday after admitting hackers had breached its database of corporate announcements in 2016 and might have used it for insider trading.

The Investment Company Institute (ICI), which represents over 95 million U.S. shareholders, wants the SEC to clear up concerns about its cyber defenses before requiring funds to submit monthly performance data to the regulator, Paul Schott Stevens, the group’s chief executive, told Reuters in a phone interview.

“What the SEC breach now makes very clear is precisely what we were concerned about - that market-sensitive information of that nature can be exploited to the disadvantage of millions and millions of investors,” Stevens said.

ICI, whose members hold $20 trillion plus in assets, has raised concerns about how the SEC safeguarded industry data it gathers since 2015.

“I’m certain there will be a full inquiry by the Government of Accountability Office - and there should be, so we understand exactly what happened here,” Stevens said.

In a July report, the Government Accountability Office (GAO), a congressional watchdog, criticized the SEC for failing to fully protect its computer networks from cyber attacks and recommended a slew of improvements. Some of recommendations it had made in previous reports had still not been implemented, it noted.

Former SEC Chair Mary Jo White, in office when the hack occurred, told Reuters in 2016 that cyber security posed the biggest risk to the U.S. financial system.

Her successor, Jay Clayton, uncovered the full extent of the hack after launching a review of the SEC’s cyber security standards earlier this year.

“Some recommendations the GAO made haven’t yet been implemented. There’s obviously a failure here of some kind. That’s why we’re so glad Chairman Clayton has moved to address this,” said Stevens.

The SEC declined to comment.

New reporting rules which start to come into force in December would require funds for the first time to confidentially file complete monthly portfolio holdings with the SEC, data which the ICI has said could easily be used for insider trading if obtained by hackers.

“Until that information security environment has been established, funds should continue to collect data quarterly, not monthly information, as quarterly data is not nearly as sensitive,” said Stevens.

The SEC disclosure came two weeks after credit-reporting company Equifax Inc said a breach had exposed sensitive personal of data up to 143 million U.S. customers. This followed last year’s cyber attack on SWIFT, the global bank messaging system.

Stevens said rules governing the disclosure of such breaches should be tighter for both public and private organizations.

“That disclosure obligation fixes the mind on need to fix the breach in the first instance.”